Romain GERVAIS created ZEPPELIN-3747:
----------------------------------------

Summary: Impossible to do CORS
Key: ZEPPELIN-3747
URL: https://issues.apache.org/jira/browse/ZEPPELIN-3747
Project: Zeppelin
Issue Type: Bug
Reporter: Romain GERVAIS

Hi,

The option 'zeppelin.server.allowed.origins' is not working as expected (at least not to what I expect). Thus I can't do CORS.

+Expected behavior:+

The value of the response header "Access-Control-Allow-Origin" is equal to the option "zeppelin.server.allowed.origins". Especially if you enter the value "*" for this option, the server (Zeppelin) should return a response header "Access-Control-Allow-Origin: *", allowing you to do CORS.

+Actual behavior:+

The server (Zeppelin) is returning the same value as the request header "Origin". Thus you can't do CORS.

Example with an empty Origin request header:

{code:java}
$ curl -I http://zeppelin:8080/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  3657    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
HTTP/1.1 200 OK
Date: Fri, 24 Aug 2018 13:07:30 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization,Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
{code}

Example with a non-empty Origin request header:

{code:java}
$ curl -I -H "Origin: bbb" http://zeppelin:8080/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  3657    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
HTTP/1.1 200 OK
Date: Fri, 24 Aug 2018 13:08:27 GMT
Access-Control-Allow-Origin: bbb
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization,Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
{code}

You can't do CORS in this case. For CORS to work, a response from your server (Zeppelin in this case) should tell the browser that it is allowed to call other servers thanks to the Access-Control-Allow-Origin header.

+Possible cause:+

I took a look at your CorsFilter ( https://github.com/apache/zeppelin/blob/branch-0.7/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java ) and I think this part of the implementation is incorrect:

{code:java}
String origin = "";
try {
  if (SecurityUtils.isValidOrigin(sourceHost, ZeppelinConfiguration.create())) {
    origin = sourceHost;
  }
} catch (URISyntaxException e) {
  LOGGER.error("Exception in WebDriverManager while getWebDriver ", e);
}
{code}

"origin" should always be equal to the value entered in the option "zeppelin.server.allowed.origins", not to the sourceHost. If the sourceHost is returned, then you can only do AJAX on your sourceHost.

If I'm wrong: how do you do CORS in Zeppelin with the AngularJS interpreter?

Best regards,
Romain.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
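
For reference, an added example (not Zeppelin's CorsFilter and not part of the original report) of how a server-side origin allow-list commonly chooses the Access-Control-Allow-Origin value: the request Origin is echoed only when it exactly matches a configured entry, and "*" is sent only on responses without Access-Control-Allow-Credentials, because browsers reject a wildcard on credentialed responses. The class, method names and sample origins are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration, not Zeppelin's CorsFilter; all names here are hypothetical.
public class CorsDecisionDemo {

    // Computes the CORS response headers for one request.
    static Map<String, String> corsHeaders(String origin, List<String> allowed, boolean credentials) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (origin == null || !isWellFormed(origin)) {
            return headers; // no usable Origin header: send no CORS headers
        }
        if (allowed.contains("*") && !credentials) {
            headers.put("Access-Control-Allow-Origin", "*");
            return headers;
        }
        // A credentialed response must name a single origin, so the wildcard
        // is not honoured here; only an exact allow-list match is echoed.
        if (allowed.contains(origin)) {
            headers.put("Access-Control-Allow-Origin", origin);
            if (credentials) {
                headers.put("Access-Control-Allow-Credentials", "true");
            }
            headers.put("Vary", "Origin"); // response depends on the request Origin
        }
        return headers;
    }

    // An origin is scheme://host[:port] with no path; "bbb" fails this check.
    static boolean isWellFormed(String origin) {
        try {
            URI u = new URI(origin);
            return u.getScheme() != null && u.getHost() != null && u.getRawPath().isEmpty();
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        List<String> allowed = Arrays.asList("https://notebook.example"); // constructed sample config
        System.out.println(corsHeaders("https://notebook.example", allowed, true));
        System.out.println(corsHeaders("https://other.example", allowed, true));
        System.out.println(corsHeaders("bbb", allowed, true));
        System.out.println(corsHeaders("https://other.example", Arrays.asList("*"), false));
        System.out.println(corsHeaders("https://other.example", Arrays.asList("*"), true));
    }
}
```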